The number of targeted cyber-attacks continue to grow at an alarming rate.  Successful cyberattacks on businesses can have a serious impact such as loss of IT services because of a breach, suffering financial loss or reporting a loss of operational services.

Having cyber insurance will not remove the risk of a cyberattack but it will reduce the risk and exposure to your business in the event of one. Successful attacks on businesses can have a serious impact with many suffering a financial loss or reporting a loss of operational services. Data breaches, leaks and data losses can incur massive regulatory fines, the potential for suppliers or clients to launch legal action, and cause serious reputational damage.

Many SMEs haven’t considered cyber insurance because they haven’t thought about how a cyberattack would impact their business. For example, a small retail outlet will have insured their business against fire because it is a threat to their business they can visualise and see as a genuine risk to their bricks-and-mortar business that could not operate if the business burnt down. However, they probably haven’t considered the impact of a cyberattack on an online booking system, an email platform, or a spreadsheet of customer information. The fallout has the potential to result in crippling financial losses and legal ramifications to the business.

Corporate businesses have an advantage that SMEs don’t. They will have IT staff or partner firms that have the necessary skills to put security policies in place and regularly check that systems are secure. Sole traders and micro SME’s typically don’t have access to these specialised skills and can’t typically afford to implement them. They are extremely exposed and it is imperative that the owners of small businesses and their staff are cyber-aware.

If your business operates with computers, IT and network systems and the internet, you are at risk of a cyberattack. Consider the following questions to help evaluate your degree of risk.

• Have you moved your data or some client data to the cloud?
• Do you have an SSL cert on your website if using your website to complete financial transactions?
• Have you analysed the risk that hybrid home working/office environments bring?
• What systems, platforms, apps do you use on your laptop, phone, or computer to communicate with clients, suppliers, and staff, and are they secure?
• Having considered key areas of exposure do you have the relevant procedural and technical controls in place?
• When investing in new technology or platforms do you consider the security implications?
• Have you reviewed cloud service security?
• Do you have platform and cloud Service Level agreements in place with your suppliers?
• Have you completed a digital security assessment and followed up with definitive answers to all your concerns?
• Do employees use their own devices for work and if so have you thought about the potential risks and mitigations?
• Are you communicating security awareness to staff and partners and ensuring they are fully engaged with your cybersecurity protocols?

Perhaps the most relevant example are the thousands of fake shopping websites that are facilitating various purchase-related frauds. These websites sometimes masquerade as official or related sites from reputable and recognised brands. They trick people into sharing personal information and their credit or debit card information, which usually is then used for fraudulent purposes. Once the user shares this information, they may not receive the goods they purchased or could receive counterfeit goods in their place.

Another example is where fraudulent websites try to entice people to click a link. This link can trigger the download of malware. Malware is the collective term that describes malicious software. It’s not all about capturing an innocent victim’s credit card details, there are more sophisticated attacks that target large institutions such as banks, tech, and big pharmaceutical companies in an attempt to steal intellectual property.

The pandemic has witnessed more businesses than ever migrating to digital platforms, with many forced to pivot to online platforms to enable customer online engagement and commerce. The alternative for these businesses is permanent closure. However, many don’t realise the risks associated with moving online and fail to put contingency plans in place. Instead, they rush the process of putting their business systems online and may not consider or know to ask certain security questions. Business owners must ask if they have the same security and control of their data on digital platforms, systems, and in general on the cloud, as they did prior to migrating online. GDPR places the onus on the business owner to ensure their systems are secure, so no one should ever assume they are secure and should seek an answer from their digital provider.

The cyber insurance policy holder will normally be asked by their insurer to sign up to a statement of fact, confirming they have:

– anti-virus protection and a firewall already in place
– a back-up recovery procedure
– encrypted portable devices and phones
– an up-to-date disaster recovery application
– a patch management system on all software

Policy holders can be caught out under the “Conditions Precedent” in their policy terms.

As the cyber insurance market hardens, some insurance providers are restricting cover, increasing rates and reducing protection across the board. In addition to this hardening market, recent changes in contractual requirements and increasing regulatory obligations have seen the need for larger limits increase significantly. Sheridan Insurances can arrange a flexible excess to top up your primary insurance cover which helps to ensure your business is protected against the increasing likelihood of multiple cyber events during a single policy period.

The EU’s General Data Protection Regulation (GDPR) impacts every business throughout Europe, including Ireland.

One of the legislation’s key requirements is that any confidential data held about customers or suppliers must be processed in a manner that ensures an appropriate level of security. In the event of a cyberattack, the enforcement of GDPR can result in a business being fined up to €20 million or four per cent of turnover (whichever is the greater).

There are a number of steps you should take to comply with GDPR regulations:

• allocate responsibility for cyber and data security and an IT security plan to an experienced manager within the business
• ensure you are familiar with what steps to take in the event of a data breach, including notifying the Information Commissioner’s Office (ICO) within 72 hours (and where required any people that have been affected by the breach)
• review whether any sensitive or confidential data you hold should be pseudonymised and encrypted

For a comprehensive list of compliance requirements, please visit the official EU GDPR site at https://gdpr.eu/compliance/.

In the wake of a cyberattack, cyber insurance will cover most of the costs associated with the cyberattack or data breach. In the first instance, an investigation will take place. Your insurer’s cybersecurity specialists will research the origin of the breach, what systems and data were compromised, identify who needs to be notified and how to communicate the breach, and determine what actions need to be put in place to fix the areas of risk. The specialists will also identify solutions for future risk mitigation. Your cyber insurance policy will help cover the costs of this investigation, including any costs associated with notifying the necessary authorities and affected person or persons, investigating the incident or incidents, putting in place measures to contain the damage, and recover any data that has been affected. It may cover or will assist towards any fines and legal costs. Your cyber insurance should cover the financial impact of the incident including but not limited to the loss of business, as well as regulatory fines.

When a criminal or team of criminals demand compensation in return for decrypting and return your data, this is called a ransomware attack. If your business is the victim of a ransomware attack, your cyber insurance policy will provide access to a specialised team of cyber experts that will help trace and track down those responsible as well as try to recover your data on your behalf.

It is important to act immediately in the event of a cyberattack because it will directly impact your indemnity period which has a maximum period of three months as part of any cyber insurance policy. The indemnity period is the specified period of time for which compensation is payable under your business interruption policy. This could mean the period during which the income of the business is affected by the cyber event or the reinstatement of services affected by the cyberattack. Your cyber insurance policy will provide further details.

Cyber insurance doesn’t have to cost the earth and can start from a few hundred euros. The most important thing is to ensure that it covers the unique needs of your business. As with most insurance, there is a pre-qualification questionnaire; make sure the criteria match your needs and that you qualify for the cover by disclosing the necessary information at the beginning. The factors that will affect your premium are:

• your occupation: some businesses or professions will attract a higher premium than others.
• the nature of your business: the more sensitive and confidential data you hold about your customers and suppliers, the higher your cyber risk. For example, utility companies, doctors and hospitals will face a higher risk than other businesses and occupations such as a hardware supply shop.
• the turnover of a business: the higher the turnover the higher your cyber risk.
• the cover you require: you might be concerned with loss of revenue, damage to your systems and services, customer data loss and claims by third parties.
• the amounts or limits on the cover you need.